Drives and Controls Magazine
PLC vulnerability can be attacked using ‘low’ skill levels
Published: 02 March, 2021

Cyber-researchers have discovered a “severe” vulnerability in a mechanism that verifies communications between Rockwell Automation PLCs and engineering software. Exploiting this flaw could allow an attacker to connect remotely to almost any of Rockwell’s Logix PLCs (programmable logic controllers) – as well as its drives and safety controllers that use the Logix technology – and to upload malicious code, download information from the PLC, or install new firmware.

The US Government’s Cybersecurity and Infrastructure Security Agency (Cisa) has warned that the vulnerability could be exploited remotely by attackers with a “low” skill level. Using the CVSS (Common Vulnerability Scoring System) rating scheme, Cisa gives the vulnerability a score of 10 – the highest possible.

The vulnerability was discovered independently in 2019 by cyber-researchers at Claroty, Kaspersky and Soonchunhyang University in South Korea. As usually happens in such cases, they warned Rockwell Automation about the vulnerability to allow it to take appropriate action before disclosure. The discovery has now been made public via an ICS-Cert advisory published by Cisa.

The vulnerability affects Rockwell’s Studio 5000 Logix Designer (versions 21 and later) and RSLogix 5000 (versions 16-20) engineering software, and many of its Logix controllers, including CompactLogix, ControlLogix, DriveLogix, GuardLogix and SoftLogix models. The ICS-Cert advisory has a full listing.

The vulnerability exists because the engineering software holds a secret key that it uses to prove its identity to the Logix controllers. A remote, unauthenticated attacker who obtains that key can bypass this verification mechanism and connect directly to the controllers, without needing the engineering software at all.

An attacker who extracted the key would be able to authenticate to any Rockwell Logix controller. The key is used to sign all communications with the PLCs digitally; the PLC verifies the signature and, if it checks out, authorises the software to communicate. Because one key is accepted by every affected controller, it acts as a shared secret rather than a per-device or per-user credential, so extracting it once is enough. An attacker using the key could mimic an engineering workstation and thus manipulate configurations or code running on the PLC, potentially affecting manufacturing processes.

In response to the discovery, Rockwell Automation has issued a security advisory describing how the vulnerability affects the Studio 5000 Logix Designer software and associated controllers.

Caption: The newly-revealed vulnerability involves communications between Rockwell Automation’s Studio 5000 software and its Logix controllers.

It recommends several possible mitigations, including setting the controller’s physical mode switch to “run” mode, which stops the engineering software from downloading programs or making online edits for as long as the switch stays in that position, and deploying CIP Security for Logix Designer connections. When deployed properly, CIP Security rejects unauthorised connections. Where keeping the controller in run mode is not practical, Rockwell suggests other measures depending on the model of Logix controller affected.

Rockwell is also recommending several generic mitigations to blunt the effects of the vulnerability, starting with network segmentation and security controls such as minimising the exposure of control systems to networks or to the Internet. Control systems, it says, should be behind firewalls and be isolated from other networks whenever feasible. It also recommends implementing secure remote access – at a minimum, using a VPN to connect to a device.

The ICS-Cert advisory includes all of Rockwell’s mitigation advice, including recommendations for each product family and version. It also recommends several detection methods that users can apply if they suspect that their configurations have been modified.
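The segmentation and detection advice above is easier to act on with something concrete to check. The following is an added example, not code from the article, Rockwell or Cisa: it runs an allow-list check over firewall connection logs and flags any host that has opened an EtherNet/IP (CIP) session to a Logix controller without being one of the authorised engineering workstations, which is exactly the kind of connection an attacker holding the extracted key would make. TCP port 44818 is the standard EtherNet/IP explicit-messaging port; the log format, addresses, host roles and controller names are assumptions made up for the example.

```python
"""
Added example (not from the article or the advisory): flag CIP sessions to
Logix controllers from hosts that are not authorised engineering workstations.

Assumptions: a key=value firewall log format, the addresses and host roles
below, and that only listed workstations should ever run Studio 5000.
"""
import ipaddress
import re
from dataclasses import dataclass

CIP_TCP_PORT = 44818  # EtherNet/IP explicit messaging (CIP), used by Logix Designer

# Assumed policy: which workstations may talk CIP to which controllers.
# In a real plant this comes from the asset inventory and firewall ruleset.
CONTROLLERS = {
    "10.10.20.11": "ControlLogix (line 1)",   # assumed
    "10.10.20.12": "CompactLogix (line 2)",   # assumed
}
ENGINEERING_WORKSTATIONS = {"10.10.10.5"}  # assumed: the only hosts that may run Studio 5000
ENGINEERING_SUBNET = ipaddress.ip_network("10.10.10.0/24")  # assumed

# Constructed sample log lines in the assumed format (not real traffic).
SAMPLE_LOG = """\
2021-03-02T08:01:12Z action=allow proto=tcp src=10.10.10.5 spt=50123 dst=10.10.20.11 dpt=44818
2021-03-02T08:02:40Z action=allow proto=tcp src=10.10.10.5 spt=50124 dst=10.10.20.12 dpt=44818
2021-03-02T08:15:03Z action=allow proto=tcp src=192.168.1.77 spt=41022 dst=10.10.20.11 dpt=44818
2021-03-02T08:15:09Z action=allow proto=udp src=10.10.20.11 spt=2222 dst=10.10.20.12 dpt=2222
2021-03-02T08:20:55Z action=deny proto=tcp src=203.0.113.9 spt=3344 dst=10.10.20.12 dpt=44818
2021-03-02T08:31:18Z action=allow proto=tcp src=10.10.10.42 spt=60001 dst=10.10.20.12 dpt=44818
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    controller: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def classify(rec):
    """Return a reason string if the record violates the policy, otherwise None."""
    if rec["proto"] != "tcp" or rec["dpt"] != CIP_TCP_PORT:
        return None  # not an explicit-messaging (engineering) session; I/O traffic is ignored
    if rec["dst"] not in CONTROLLERS:
        return None  # destination is not one of the controllers we care about
    if rec["action"] != "allow":
        return None  # the firewall already blocked it, so segmentation held
    src = rec["src"]
    if src in ENGINEERING_WORKSTATIONS:
        return None
    if ipaddress.ip_address(src) in ENGINEERING_SUBNET:
        return "CIP session from engineering-subnet host not on the workstation allow-list"
    return "CIP session from outside the engineering subnet"


def find_unauthorised_cip_sessions(log_text):
    """Return a Finding for every allowed CIP session that the policy does not permit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(
                Finding(rec["ts"], rec["src"], rec["dst"], CONTROLLERS[rec["dst"]], reason)
            )
    return findings


if __name__ == "__main__":
    for f in find_unauthorised_cip_sessions(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst} ({f.controller}): {f.reason}")
```

On the constructed sample the check reports two sessions: one from a host outside the engineering subnet and one from an engineering-subnet host that is not on the workstation allow-list; the denied attempt from the Internet is not reported because the firewall already enforced the segmentation. The same allow-list is what the firewall rules in front of the controllers should express, so a finding here means either a policy gap in the ruleset or a host that should not be talking to a PLC.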

The advisory says that there are no known public exploits targeting the vulnerability.

• The widespread nature of potential vulnerabilities in industrial control systems is highlighted by the fact that ICS-Cert has already issued more than 50 advisory notices so far this year. Companies whose products are covered by these advisories include Advantech, Delta Electronics, Eaton, Fuji Electric, GE, Honeywell, Horner, Johnson Controls, Mitsubishi Electric, Omron, Panasonic, Pro-Soft, Red Lion, Schneider Electric, Siemens and Wago.